LinuxQuestions.org
Old 09-25-2021, 11:00 AM   #1
That Random Guy
How can single internal authoritative dns resolve external names?


I've been looking at different resources/literature for bind and DNS in general and I do not understand a particular setup for DNS.

In my case, I'm trying to understand how an authoritative name server, which is a primary for a zone and is internal, can resolve external names.

I know there are likely tons of things that can impact how this can be answered but let's assume this entity does not have a DMZ. By extension, we can also leave out any split DNS kind of solution. Let's also assume we're using BIND for this DNS and leave out any dependencies on supporting Windows. Let's imagine only a firewall and a gateway going to the Internet. In other words, it is a screened firewall kind of setup and nothing more. The authoritative name server serves an internal local domain/zone inside for the private networks/hosts internally that are in scope. It is the master for this zone.

Based on the stuff I've read so far, the best practice seems to be that authoritative servers are not to be caching servers and are not to allow recursive queries.

From what I understand about DNS, a server needs to be recursive to allow for external names to be resolved or otherwise needs to supply a server that can resolve the query (in other words, a resolver).

Going by this logic, and trying to meet that particular best practice with this very finicky imaginary setup, would the configuration on the authoritative server require a forwarder to an ISP resolver to be specified for internal clients to be able to resolve external names or is that not the correct solution in this case? Is this a limitation in bind or DNS in general?
Old 09-26-2021, 11:30 AM   #2
wpeckham
Quote: Originally Posted by That Random Guy
DNS is something like a hierarchical database system. Each node that is NOT authoritative has one or more parent nameservers from which it can request lookups. Every one that IS authoritative has a zone for which it is the ultimate authority, and for everything else it has one or more parent nameservers from which it can request lookups. A lookup parses the tree until it either finds the authoritative nameserver for that zone, or a nameserver that has a cached record for that specific lookup that has not timed out (the TTL has not expired, so it is recent). Once the lookup is satisfied, the answer traverses the tree back to the originating node and it gets the answer.

Your BIND server is only authoritative for that local zone; it forwards any queries outside that zone, for which it does not have the records, to a higher authority. Generally (not always) the higher authority may be the ISP nameservers.
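The configuration the question is asking about, written out as an added example (not from either post above, and not from the BIND project's documentation). In BIND 9 a server with `recursion no;` answers only for zones it holds; a query for any other name gets no answer from it, so it neither resolves nor forwards external names. The usual way to satisfy the "authoritative servers should not recurse" practice is therefore two roles, and the fragments below show both, plus the single-box variant the thread title asks about, where recursion is kept but limited to internal clients so the box is never an open resolver. Zone name `corp.internal`, addresses 10.0.0.53 / 10.0.0.54, the 10.0.0.0/8 internal range and the ISP resolvers 192.0.2.53 / 192.0.2.54 (documentation range) are all assumptions for illustration.

```conf
# ===== /etc/bind/named.conf on 10.0.0.53: authoritative-only primary =====
# (assumed host; zone and addresses are illustrative)

acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; 127.0.0.1; };
    recursion no;                  # authoritative-only: never resolves names it does not own
    allow-query { internal; };     # the zone is private, so only internal hosts may ask
    allow-transfer { none; };      # list secondaries explicitly once you have them
    version "not disclosed";       # answer to the CHAOS TXT version.bind query
    minimal-responses yes;
};

zone "corp.internal" {
    type primary;                  # "type master;" on older BIND 9 releases
    file "/etc/bind/db.corp.internal";
    notify no;                     # no secondaries in this setup
};

# ===== /etc/bind/named.conf on 10.0.0.54: recursive resolver for internal clients =====
# Clients point at this address, not at the authoritative server.

acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.54; 127.0.0.1; };
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };  # restrict recursion: never an open resolver
    allow-query-cache { internal; };
    forwarders { 192.0.2.53; 192.0.2.54; };  # ISP resolvers (assumed addresses)
    forward only;                  # drop this line and the forwarders to resolve
                                   # iteratively from the root hints instead
    dnssec-validation auto;        # validate signed answers even when forwarding
};

# Send the internal zone to the internal primary instead of to the ISP:
zone "corp.internal" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};

# ===== Single-box variant: one server that is authoritative AND recurses =====
# Same as the resolver options above, but the zone is held locally, and
# recursion is still limited by allow-recursion so outsiders get at most
# authoritative answers for corp.internal and REFUSED for everything else.
#
# options {
#     recursion yes;
#     allow-query { internal; };
#     allow-recursion { internal; };
#     allow-query-cache { internal; };
#     forwarders { 192.0.2.53; 192.0.2.54; };
#     forward only;
#     dnssec-validation auto;
# };
# zone "corp.internal" { type primary; file "/etc/bind/db.corp.internal"; };
```

To check the split from an internal host: `dig @10.0.0.53 host.corp.internal A` should come back with the `aa` flag set, while `dig @10.0.0.53 www.example.com A` should come back without the `ra` flag and with status REFUSED (older BIND releases returned a referral to the root servers instead, which is also not an answer); `dig @10.0.0.54 www.example.com A` should return the answer with `ra` set. Run the same queries from an address outside 10.0.0.0/8 to confirm the resolver refuses them. With `forward only` you are trusting the ISP resolvers for every external answer, which is why `dnssec-validation auto` is worth keeping: the resolver then checks signatures itself for signed zones rather than relying on the forwarder's say-so.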
All times are GMT -5.